GDPR FAQs

When will the GDPR come into effect?

Who does GDPR apply to?

GDPR applies globally: companies outside the EU must comply with the Regulation if they process the personal data of EU data subjects in connection with:

“Offering of goods or services” (payment is not required); or

“Monitoring” their behavior within the EU.

How can a business demonstrate and confirm that it is in compliance with the Regulation?

All businesses affected by GDPR will need to update or create suitable policies that set out how they process the personal data of data subjects.

Businesses also need to consider other compliance measures, including setting up a clear compliance structure, allocating responsibility for compliance, staff training and audits.

Does GDPR or any other authority need to inspect my business and data and issue a certificate of compliance?

No, it does not require any certification. GDPR is a law, not a standard, so no certification is required. Even if someone issues you a certificate, you still run the risk of being non-compliant.

What kind of personal information/data does the GDPR apply to?

GDPR is a law made to protect the personal data of EU citizens. Personal data means any information relating to an identified or identifiable data subject, e.g. a name, an identification number, an address, an IP address, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that data subject.

Who is a data subject?

Any natural person, whether a minor or an adult, is a data subject.

Do we need to appoint a Data Protection Officer (DPO)?

A DPO is required to be appointed only in the case of (a) public authorities, (b) organizations that engage in large-scale systematic monitoring, or (c) organizations that engage in the large-scale processing of sensitive personal data.

How does the GDPR affect policy on data breaches?

The GDPR provisions covering data breaches relate primarily to the notification obligations of companies that have been breached. Data breaches which may pose a risk to individuals must be notified to the supervisory authority without undue delay and within 72 hours, and to affected individuals without undue delay.

When can data subjects access the data which is stored by the company?

The data subject can ask for access at reasonable intervals, and controllers must generally respond within one month. The GDPR requires controllers and processors to be transparent about how they collect data. Consumers have the right to access any information a company holds on them, and the right to know why that data is being processed, how long it is stored for, and who gets to see it.

How does GDPR help individuals enforce their privacy?

GDPR makes it considerably easier for individuals to bring private claims against data controllers and processors. Under Article 77, individuals have the right to lodge a complaint with a supervisory authority.

Are data flow diagrams mandatory under GDPR?

Data flow diagrams are mandatory, as they are used to identify how data flows through the various processing streams, which is crucial in determining which GDPR requirements the organization must comply with.

What happens if a consumer withdraws consent?

In such a situation, the controller will have to stop processing that individual’s personal data, although in some cases the controller may be able to rely on an alternative processing condition. Withdrawal of consent may also give the individual the right to be forgotten, i.e. to have their data erased.